In my last post, I argued that we need to view the Equifax breach as a catalyst moment for rethinking the way we handle identification for U.S. citizens. This involves determining the right balance among security, privacy, utility, and cost. In this case, the irony is that technology is likely going to be the easy part.
The Easy Part of Change
We have all the technology pieces to begin the journey to a high-quality, high-security, well-thought-out identity solution for U.S. citizens. We understand the cryptography, biometrics, how to build hardware devices, and how to deploy them to scale to millions of people. We can apply the lessons that we have learned, using proven technologies, from mechanisms such as our financial instruments, as well as look at what has and has not worked in countries that have moved to more modern identity systems.
There are several ways to do this, from simply implementing proven credit card technologies such as “chip and PIN” for personal IDs, to more advanced technologies such as biometrics. Chip and PIN technologies could allow individuals to electronically authenticate with a higher level of security than if they simply asserted a number that another party could keep and potentially use.
India has moved to a national biometric identity program, allowing 1.3 billion citizens to prove their identities through fingerprints, facial recognition, and eye iris scans. The country faced an even more difficult problem than compromised SSNs because there was no single starting database of citizens. Because benefits came with being a citizen, there were concerns that an individual might attempt to register in one town under one name, and then register in another town under another name.
The Indian government addressed this issue by creating a biometrics database to register its population. If your biometrics were already in the database, the government would know that you were a duplicate person. It also provided a mechanism that let you walk into any government office and reprove that you were you.
The Hard Part of Change
What’s going to be more challenging in my view is coming up with a solution that strikes the right balance between security and privacy, and deciding what the scope of this should be.
Is this a solution for individuals to prove their identity for government-related services and transactions, social security, and other government benefits? Or is this the solution for individuals to prove who they claim they are for other types of transactions? States currently provide identity solutions such as driver’s licenses or ID cards. Does the new standard complement that? Does it replace elements of that?
Change will require a good partnership between the private sector and federal, state, and local governments given that identity is something that is used where citizens interact with many forms of government. Even within the private sector, we will need partnerships to determine what is appropriate for different types of private transactions.
These are the difficult questions that need to be debated, but we need to move quickly. Every day that we do not solve this problem sets up the opportunity for criminals to use compromised consumer data for the impersonation of individuals whose data has been breached.
Will We Stop Using SSNs Altogether?
There will certainly be an interim period during the transition that will require SSNs to play a role.
There is a difference between using a number as an identifier and having that identifier be considered sensitive information. Given that lots of data already exist in all sorts of databases and SSNs are used as a part of those datasets, it would be unrealistic to ban their use overnight. But we do need to make sure that they act as part of the identity authorization or identification scheme so that they cannot be used to prove that imposters are the genuine individuals.
It is reasonable that the IRS uses an SSN as a part of its tax accounting solution at least for the near term. But if somebody calls the IRS and simply gives their SSN and date of birth, that in and of itself should no longer be sufficient for the IRS to believe that that individual is definitively who they claim to be. It is the difference between using something as a reference to an individual as opposed to being an authenticator, an instrument that proves an individual identity.
A Catalyst Moment
The world needs to operate during the transition, and we need to have a high level of pragmatism to work through this. At the same time, we should not indefinitely kick the can down the road and ignore the problem, forcing ourselves to default to systems that are inherently insecure.
If we continue to rely on private pieces of information to prove our identity, we will continue to have those pieces of information stolen and misused—which will impact millions of individuals in the United States.
The mega retail breaches of a few years ago changed financial institutions’ perspectives and pushed U.S. merchants to move to chip and PIN credit cards. That series of events was the catalyst that made major industries take a step forward in using available technology. This Equifax event is very similar; it is a catalyst that makes us say: “Let’s talk about this.”
Given the scale of this event, we need to talk and get to work on solving this now.
Read the recent post from Gary Davis for guidance on actions consumers can take to protect themselves in light of the Equifax revelations.